
In Memory Fuzzing

Introduction

In memory fuzzing is a technique that lets the analyst bypass parsers, network-related limitations (such as a maximum number of connections, built-in IDS or flooding protection) and encrypted or unknown (poorly documented) protocols, in order to fuzz the actual underlying assembly routines that are potentially vulnerable.

Prior to developing my fuzzing toolset, I was unsatisfied (for now) with all the publicly available in memory fuzzers, because most of them are just too basic and require too much preparation in advance (flow analysis, reverse code engineering, etc.), which obviously means a high learning curve and time-consuming tasks; most people would rather just stick with traditional fuzzers (which can usually accomplish the exact same thing). Yes, you DO need some reversing skills to make in memory fuzzing useful, but honestly it doesn't really have to be all that difficult to start fuzzing and find bugs, as long as you have the right approach.

One of the approaches we take here is to trace user input automatically in real time, log all the important functions that process that input, and then fuzz them. A proof of concept (Tracer.py and InMemoryFuzzer.py) is also available to download:

Download Paimei. Extract the package, go to the "installers" folder, and run the installer.

Remove C:\Python25\Lib\site-packages\pydbg\pydasm.pyd

Now you're ready to test out Pydbg. Open a command prompt and type the following. If you see no errors after importing Pydbg, your system now supports Pydbg:

Tracer.py: How It Works

As I previously mentioned, in order to deploy an in memory fuzzer you must go through a good amount of analysis to identify all the functions that process your input, and log the function entry address, the RETN addresses, and the argument you want to fuzz. This makes fuzzing very time consuming, simply not something that can be done in minutes. The purpose of Tracer.py is to ease this process, allowing the user to track the control flow and the user input in real time.

This is done by first searching for all the function addresses in the application, putting a hook point in every one of them, and then starting to monitor. If a hooked function is hit, we log the function and its argument, and keep monitoring. Since this happens in real time, even a tool as basic as this one lets you see some kind of pattern in the log, which gives us an idea of where to fuzz.

The following example shows how to recognize this pattern in Tracer.py:

Tracer.py: How To

First, open IDA. If you're using IDA 4.9 (see image):

Click on the Functions tab

Select all the functions (click the first function -> hold [shift] -> select last function)

Right click -> copy -> paste into Notepad. Save it as "functions.txt" in the same directory as the script.

If you're using IDA Pro 5.5 or higher, the Functions table should be on the left of the pretty graph. You can do the same thing (right click -> copy and paste) to obtain all your functions that way.

Second, open the application you want to fuzz. You must do this before running the script, because the script needs to attach to the process first.

Third, now that you have a function list (functions.txt), go to the command prompt and type the following (assuming you saved Tracer.py in C:\):

C:>C:\Python25\python.exe Tracer.py

Fourth, the script should find the function list file without problems. Give it a pattern (user input) to look for, select the process you want to monitor, and the fun begins. Note that a file named "new_functions_addrs.txt" will be created; this file contains the same function addresses together with the correct RETN addresses. You can use it as a reference later for InMemoryFuzzer.py.

Fifth, Tracer.py should now be monitoring. Go back to the application, feed it the same pattern, and you'll see which functions get triggered. Press [CTRL]+[C] to terminate the script.

InMemoryFuzzer.py: How It Works

The idea behind the fuzzer is simple. Say you have a vulnerable routine whose entry is at 0x1001BEEF (aka the snapshot point), which takes the user input as [ESP+4] at the beginning of the prologue, and that the function ends at address 0x1001BFEA (the restore point). We can put a breakpoint at 0x1001BEEF, another at 0x1001BFEA, and let the application run, as the following diagram demonstrates:

When the execution flow hits our first breakpoint (entry) for the first time, we take a snapshot of the state (threads, stack, registers, flags, etc.), modify the user input in [ESP+4], resume execution to let the function process our data, and hope something crashes. If an exception is thrown somewhere in the code, we log it, restore the function state, redirect the execution flow back to the entry (0x1001BEEF), and fuzz again with a new input, like this diagram:

Or, if no exception is triggered, we end up hitting the second breakpoint; then all we have to do is restore the state, rewind, and fuzz again:
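The snapshot/restore loop described above, written out as an added example (this is not the article's InMemoryFuzzer.py): the debuggee, its vulnerable routine (a 32-byte stack buffer sitting in front of the saved return address), the register values and the mutator are constructed stand-ins, and pydbg's process_snapshot()/process_restore() are replaced by deep copies, so the loop runs offline and every crash record carries the fields the crashbin files list (entry address, argument length, registers, input).

```python
import copy

SNAPSHOT_POINT = 0x1001BEEF  # routine entry from the article's example (snapshot point)
RESTORE_POINT = 0x1001BFEA   # the routine's RETN address (restore point)
BUF_SIZE = 32                # constructed: size of the routine's local stack buffer


class AccessViolation(Exception):
    """Constructed stand-in for the exception the debugger would report."""


class SimulatedTarget:
    """Constructed stand-in for the debuggee. The routine's frame is modelled as
    [local buffer of BUF_SIZE bytes][saved return address]; the routine copies its
    argument into the buffer with no bound check, which is the bug we fuzz for."""

    def __init__(self):
        self.regs = {"EIP": SNAPSHOT_POINT, "ESP": 0x0012FF00}  # constructed values
        self.stack = bytearray(BUF_SIZE) + RESTORE_POINT.to_bytes(4, "little")

    def snapshot(self):
        """Models dbg.process_snapshot() taken at the entry breakpoint."""
        return copy.deepcopy((self.regs, self.stack))

    def restore(self, snap):
        """Models dbg.process_restore(): state and EIP go back to the entry."""
        self.regs, self.stack = copy.deepcopy(snap)

    def run_routine(self, arg):
        """Models resuming execution with [ESP+4] pointing at the fuzzed argument."""
        self.stack[:len(arg)] = arg                       # unbounded copy into the buffer
        ret = int.from_bytes(self.stack[BUF_SIZE:BUF_SIZE + 4], "little")
        self.regs["EIP"] = ret                            # RETN pops the (maybe clobbered) address
        if ret != RESTORE_POINT:                          # fetching from garbage faults
            raise AccessViolation("EIP=0x%08X" % ret)


def in_memory_fuzz(target, max_fuzz_count=64):
    """Snapshot once at SNAPSHOT_POINT, then loop: mutate the argument, resume,
    log any exception, restore and rewind. Returns the crash records (crashbin)."""
    snap = target.snapshot()
    crashbin = []
    for count in range(1, max_fuzz_count + 1):
        payload = b"A" * count            # constructed mutator: grow the argument each round
        try:
            target.run_routine(payload)   # either reaches RESTORE_POINT or faults
        except AccessViolation as exc:
            crashbin.append({"entry": SNAPSHOT_POINT, "arg_len": len(payload), "input": payload,
                             "registers": dict(target.regs), "fault": str(exc)})
        target.restore(snap)              # RETN hit or crash: rewind to the entry
    return crashbin
```

The first record shows the smallest argument length that clobbers the return address, which is the same number the crashbin reports as "Argument length to crash the application".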

InMemoryFuzzer.py: How To

Before you use the fuzzer, you should already know the following:

Which process/dll to fuzz

The function entry address(es) (aka your snapshot points)

The restore point(s) (typically a RETN address)

Which function argument(s) to fuzz

First, open the application you want to fuzz again. If needed, change how many times you want to fuzz by editing the "maxFuzzCount" global variable in the source code. Please note that InMemoryFuzzer.py has two fuzzing modes: single routine or multiple routines. Single routine mode allows the user to put all the required information (function entry, restore point, argument) on one line:

C:>C:\python25\python.exe InMemoryFuzzer.py

So if we were to reuse the same example in the "How it works" section, we would be feeding the fuzzer with the following:

Multiple-routine mode, which is my favorite mode, does not have to be called from the command line. All you must do is prepare breakpoints.txt, which contains the snapshot point/restore point/argument information in the same format: . Example:

Once you have breakpoints.txt, double click on InMemoryFuzzer.py. You'll be asked which process to attach to; trigger the vulnerable routine by feeding some user input again (it does not have to be the same pattern you used for Tracer.py), and the fuzzer will start once the execution flow hits our first breakpoint. When the fuzzer is done, there should be a newly created folder named "crashbin" in the same directory as the fuzzer. Crash Bin is where InMemoryFuzzer.py stores all the crashes (htm files) and the inputs that caused them. Here's an example of a crash dump:

Each crash dump contains information including:

Function entry (snapshot point) address

Argument

Argument length to crash the application

Registers (and what data they’re pointing to)

Disassembled instruction

SEH chains and offsets

Input that caused the crash

After an exception is found, the rest is left to the user to analyze. This is where IDA Pro or Immunity Debugger comes in handy again.

But I don't know why you don't automate the extraction of the function list and the start/end address of each function with IDAPython invoked from Trace.py, using IDA command-line options and a little IDAPython script. Probably it was because of an incompatibility between IDA 4.9 and IDAPython?

I would like to thank you for writing such a nice article. I really want to try it out, but I cannot download the two files (Tracer.py and InMemoryFuzzer.py) from the link that was provided above. Is there any other way that I could download them?

Thanks Peter for your quick response. I was able to download pydasm from that site, but the redmine link still asks for credentials, and I get a connection timeout if I try to hit the home page -> https://redmine.corelan.be

If possible, please assist to put these two files “Tracer.py and InmemoryFuzzer.py” onto the “free tools” section of this site.

Hi Peter, maybe it's just me, but I tried to access the links (see below) and still had no luck. I would really appreciate it if you could send me the files via email or put them in the "free tools" section on this site. Please disregard this request if time does not permit.

The problem has been privately resolved thanks to kewel's feedback. In case other users have the same issue: it is due to a missing try statement in the module C:\Python25\Lib\site-packages\utils\code_coverage.py (part of Paimei). Please open this file with Notepad and modify the code like so:

try:
    import MySQLdb
except ImportError:
    pass

Other similar problems (“No module named xx” error) may also be fixed with this approach.

This tutorial is out of date now, I think. pydbg can't be installed with the newer versions of Python that come with Immunity Debugger. And the newest versions of Paimei don't have pydbg installed by default (at least there is no longer a file called pydbg.py). An updated fix for this that is newb friendly would be really cool of you guys, thanks.
